/* detection functions */
int rule13666eval(void *p) {
const uint8_t *cursor_normal = 0, *cursor_offBmi;
SFSnortPacket *sp = (SFSnortPacket *) p;
const uint8_t *record_size_ptr, *beg_of_payload, *end_of_payload;
uint32_t recordType, offBmi, bcSize;
uint16_t bcWidth,bcHeight,bcPlanes,bcBitCount;
uint64_t Value; // For storing exploit calculations
if(sp == NULL)
return RULE_NOMATCH;
if(sp->payload == NULL)
return RULE_NOMATCH;
// flow:established, to_client;
if (checkFlow(p, rule13666options[0]->option_u.flowFlags) <= 0 )
return RULE_NOMATCH;
// flowbits:isset "file.emf";
if (processFlowbits(p, rule13666options[1]->option_u.flowBit) <= 0)
return RULE_NOMATCH;
// content:" EMF|00 00 01 00|";
if (contentMatch(p, rule13666options[2]->option_u.content, &cursor_normal) > 0) {
// content:"|01 00 00 00|", offset -48, depth 4, relative;
if (contentMatch(p, rule13666options[3]->option_u.content, &cursor_normal) > 0) {
// byte_jump:size 4, relative, endian little;
if (byteJump(p, rule13666options[4]->option_u.byte, &cursor_normal) > 0) {
if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0)
return RULE_NOMATCH;
// Now we're at the start of records. Find the interesting ones.
while(cursor_normal < end_of_payload) {
// We point to record size so we're at the right state for the relative jump
// if it turns out the record doesn't have a BITMAPCOREHEADER.
record_size_ptr = cursor_normal - 4;
// content:"|5E 00 00 00|", offset -8, depth 4, relative; XXX /* EMR_CREATEDIBPATTERNBRUSHPT */
if (contentMatch(p, rule13666options[5]->option_u.content, &cursor_normal) > 0
// content:"|51 00 00 00|", offset -8, depth 4, relative; XXX /* EMR_STRETCHDIBITS */
|| (contentMatch(p, rule13666options[6]->option_u.content, &cursor_normal) > 0))
{
recordType = *(cursor_normal - 4);
switch(recordType)
{
case EMR_CREATEDIBPATTERNBRUSHPT:
DEBUG_SO(printf("matched EMR_CREATEDIBPATTERNBRUSHPT\n");)
if (cursor_normal + 28 > end_of_payload) // Make sure there's enough room
return RULE_NOMATCH;
// extract offset to BITMAPCOREHEADER. can't use byte_jump because it could put us
// past end of packet since the "jump" actually starts from an earlier offset
cursor_offBmi = cursor_normal + 12;
offBmi = read_little_32(cursor_offBmi);
break;
case EMR_STRETCHDIBITS:
DEBUG_SO(printf("matched EMR_STRETCHDIBITS\n");)
if (cursor_normal + 60 > end_of_payload)
return RULE_NOMATCH;
// read offBmiSrc field
cursor_offBmi = cursor_normal + 44;
offBmi = read_little_32(cursor_offBmi);
break;
default:
DEBUG_SO(printf("This case must not happen\n");)
return RULE_NOMATCH;
}
if (offBmi + cursor_normal - 4 < cursor_normal) // check integer overflow
return RULE_NOMATCH;
// move cursor to the beginning of a device independent bitmap (DIB)
DEBUG_SO(printf("offBmi=0x%08x\n", offBmi);)
cursor_normal += offBmi - 4;
if(cursor_normal + 12 > end_of_payload)
return RULE_NOMATCH;
// match size of BITMAPCOREHEADER to determine if it's the proper structure
bcSize = read_little_32(cursor_normal);
cursor_normal += 4;
DEBUG_SO(printf("bcSize=0x%08x\n", bcSize);)
if (bcSize == 12) // checks BITMAPCOREHEADER
/*
* ruleMatch
*
* p: packet data structure, same as the one found in snort.
* options: NULL terminated list of rule options
*
* Returns:
* > 0 : match found
* = 0 : no match found
*
* Predefined constants:
* (see sf_snort_plugin_api.h for more values)
* RULE_MATCH - if asn1 specifier is found within buffer
* RULE_NOMATCH - if asn1 specifier is not found within buffer
*
*/
int ruleMatchInternal(SFSnortPacket *p, Rule* rule, u_int32_t optIndex, u_int8_t **cursor)
{
u_int8_t *thisCursor = NULL, *startCursor = NULL;
u_int8_t *tmpCursor = NULL;
int retVal = RULE_NOMATCH;
u_int32_t notFlag = 0;
int thisType;
ContentInfo *thisContentInfo = NULL;
int startAdjust = 0;
u_int32_t origFlags = 0;
int32_t origOffset = 0;
u_int32_t origDepth = 0;
int continueLoop = 1;
PCREInfo *thisPCREInfo = NULL;
if (cursor)
startCursor = thisCursor = *cursor;
if (optIndex >= rule->numOptions || !rule->options[optIndex] )
return RULE_NOMATCH;
thisType = rule->options[optIndex]->optionType;
/* Do some saving off of some info for recursion purposes */
switch (thisType)
{
case OPTION_TYPE_CONTENT:
thisContentInfo = rule->options[optIndex]->option_u.content;
origFlags = thisContentInfo->flags;
origDepth = thisContentInfo->depth;
origOffset = thisContentInfo->offset;
break;
case OPTION_TYPE_PCRE:
thisPCREInfo = rule->options[optIndex]->option_u.pcre;
origFlags = thisPCREInfo->flags;
break;
default:
/* Other checks should not need to check again like
* PCRE & Content do.
*/
break;
}
do
{
switch (thisType)
{
case OPTION_TYPE_CONTENT:
retVal = contentMatch(p, rule->options[optIndex]->option_u.content, &thisCursor);
notFlag = rule->options[optIndex]->option_u.content->flags & NOT_FLAG;
break;
case OPTION_TYPE_PCRE:
retVal = pcreMatch(p, rule->options[optIndex]->option_u.pcre, &thisCursor);
notFlag = rule->options[optIndex]->option_u.pcre->flags & NOT_FLAG;
break;
case OPTION_TYPE_FLOWBIT:
retVal = processFlowbits(p, rule->options[optIndex]->option_u.flowBit);
notFlag = rule->options[optIndex]->option_u.flowBit->flags & NOT_FLAG;
break;
case OPTION_TYPE_BYTE_TEST:
retVal = byteTest(p, rule->options[optIndex]->option_u.byte, thisCursor);
notFlag = rule->options[optIndex]->option_u.byte->flags & NOT_FLAG;
break;
case OPTION_TYPE_BYTE_JUMP:
retVal = byteJump(p, rule->options[optIndex]->option_u.byte, &thisCursor);
notFlag = rule->options[optIndex]->option_u.byte->flags & NOT_FLAG;
break;
case OPTION_TYPE_FLOWFLAGS:
retVal = checkFlow(p, rule->options[optIndex]->option_u.flowFlags);
notFlag = rule->options[optIndex]->option_u.flowFlags->flags & NOT_FLAG;
break;
case OPTION_TYPE_ASN1:
retVal = detectAsn1(p, rule->options[optIndex]->option_u.asn1, thisCursor);
notFlag = rule->options[optIndex]->option_u.asn1->flags & NOT_FLAG;
break;
case OPTION_TYPE_CURSOR:
retVal = checkCursor(p, rule->options[optIndex]->option_u.cursor, thisCursor);
notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG;
break;
case OPTION_TYPE_SET_CURSOR:
retVal = setCursor(p, rule->options[optIndex]->option_u.cursor, &thisCursor);
notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG;
break;
case OPTION_TYPE_HDR_CHECK:
retVal = checkHdrOpt(p, rule->options[optIndex]->option_u.hdrData);
notFlag = rule->options[optIndex]->option_u.hdrData->flags & NOT_FLAG;
break;
case OPTION_TYPE_BYTE_EXTRACT:
retVal = extractValue(p, rule->options[optIndex]->option_u.byteExtract, thisCursor);
notFlag = rule->options[optIndex]->option_u.byteExtract->flags & NOT_FLAG;
break;
case OPTION_TYPE_LOOP:
retVal = loopEval(p, rule->options[optIndex]->option_u.loop, &thisCursor);
notFlag = rule->options[optIndex]->option_u.loop->flags & NOT_FLAG;
break;
case OPTION_TYPE_PREPROCESSOR:
retVal = preprocOptionEval(p, rule->options[optIndex]->option_u.preprocOpt, &thisCursor);
notFlag = rule->options[optIndex]->option_u.preprocOpt->flags & NOT_FLAG;
break;
}
if ( notFlag )
{
if ((retVal <= RULE_NOMATCH))
{
/* Set this as a positive match -- a ! was specified. */
retVal = RULE_MATCH;
}
else /* Match */
{
retVal = RULE_NOMATCH;
}
}
if (retVal > RULE_NOMATCH)
{
/* This one matched. Depending on type, check the next one
* either in a loop, or not, saving cursor temporarily.
*/
if (optIndex < rule->numOptions -1) /* hehe, optIndex is 0 based */
{
int nestedRetVal;
/* Here's where it gets tricky... */
if (thisType == OPTION_TYPE_CONTENT)
{
/* If this is a content option, we've found a match.
* Save off the end-point of the current match.
* Less the length of current match plus 1.
*
* This gives us the starting point to check for this
* content again if subsequent options fail. That starting
* point is the byte AFTER the beginning of the current
* match.
*/
if ((origFlags & CONTENT_RELATIVE) && startCursor)
{
/* relative content.
* need to adjust offset/depth as well
*/
tmpCursor = thisCursor -
thisContentInfo->patternByteFormLength + thisContentInfo->incrementLength;
/* Start Adjust is the difference between the old
* starting point and the 'next' starting point. */
startAdjust = tmpCursor - startCursor;
}
else
{
/* non-relative content */
tmpCursor = thisCursor -
thisContentInfo->patternByteFormLength + thisContentInfo->incrementLength;
}
}
else if (thisType == OPTION_TYPE_PCRE)
{
/* Start next search at end of current pattern */
/* XXX: Could miss something here if part of pattern
* repeats but not easy to tell with PCRE.
*/
tmpCursor = thisCursor;
}
nestedRetVal = ruleMatchInternal(p, rule, optIndex+1, &thisCursor);
if (nestedRetVal == RULE_MATCH)
{
/* Cool, everyone after us matched, we're done with a match */
if (cursor)
*cursor = thisCursor;
break;
}
/* If Content or PCRE, look farther into the packet
* for another match. */
if (((thisType == OPTION_TYPE_CONTENT) ||
(thisType == OPTION_TYPE_PCRE))
&& !notFlag)
{
/* Only try to find this content again if it is a
* positive match.
*/
/* And only if the next option is relative */
if (!isRelativeOption(rule->options[optIndex+1]))
{
/* Match failed, next option is not relative.
* We're done. */
retVal = nestedRetVal;
break;
}
switch (thisType)
{
case OPTION_TYPE_CONTENT:
if (origFlags & CONTENT_RELATIVE)
{
if ((int32_t)(origDepth - startAdjust) < (int32_t)thisContentInfo->patternByteFormLength)
{
/* Adjusted depth would be less than the content we're searching for?
* we're done. */
retVal = nestedRetVal;
continueLoop = 0;
}
else
{
/* For contents that were already relative, adjust the offset & depth fields
* from their original values. Makes it easy to determine when we'll be out
* of the original bounds, relative to the original cursor. */
thisContentInfo->offset = origOffset + startAdjust;
thisContentInfo->depth = origDepth - startAdjust;
/* And use the original cursor that was passed in */
thisCursor = startCursor;
}
}
else
{
thisContentInfo->flags |= CONTENT_RELATIVE;
/* For contents that were not already relative, we simply use the adjusted
* cursor. Set thisCursor to tmpCursor as calculated above */
thisCursor = tmpCursor;
}
break;
case OPTION_TYPE_PCRE:
/* Doesn't matter if it was already relative,
* just make it relative anyway.
*/
thisPCREInfo->flags |= CONTENT_RELATIVE;
/* For PCREs that were not already relative, we use the cursor
* that was returned at the end of the pattern to start searching
* again. */
thisCursor = tmpCursor;
break;
}
continue;
}
/* Only need to search again when this is a
* content option. If its not, we're done. */
if (nestedRetVal <= RULE_NOMATCH)
{
/* Handle the case when an error is propigated
* via nestedRetVal.
*/
retVal = RULE_NOMATCH;
}
break;
}
else
{
/* Cool, nobody after us, we're done with a match */
if (cursor)
*cursor = thisCursor;
break;
}
}
else
{
/* No match, get outta dodge */
break;
}
} while (continueLoop);
/* Keep looping until we break or serialized content checks returns no match. */
/* Reset the flags for this content in case we added the
* relative flag above.
*/
if (thisContentInfo)
{
thisContentInfo->flags = origFlags;
thisContentInfo->offset = origOffset;
thisContentInfo->depth = origDepth;
}
if (thisPCREInfo)
{
thisPCREInfo->flags = origFlags;
}
return retVal;
}
